Re: [dns-privacy] [Ext] Roman Danyliw's No Objection on draft-ietf-dprive-unilateral-probing-12: (with COMMENT)

Paul Wouters <paul@nohats.ca> Wed, 20 September 2023 21:32 UTC


On Tue, 19 Sep 2023, Paul Hoffman wrote:

> We don't know. It was pointed out in the WG discussion that some PKIX libraries do different types of verification regardless of what you want them to do.

> Yes, exactly. Even if you can't stop your library from verifying, you must be able to ignore the verification failures.

That might not be the case. As with "null encryption", these modes are
more and more being removed from code bases to avoid exploits.

I also do find the value of using self-signed certs over ACME certs
on the auth server pretty low. It's pretty easy to give a nameserver
with a static name an automatic ACME-based certificate, with the
"opportunistic" part being that if the cert fails, you go back to Do53.

Paul
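As an added illustration of the two modes discussed in this message (this is example code written for this archive page, not code from the draft or from either author), the following Python sketch builds a TLS client context either in authenticated mode, where a verification failure against the nameserver's static name is treated as a reason to fall back to cleartext Do53, or in unauthenticated opportunistic mode, where the library is told to ignore verification results. Whether a given PKIX library can actually be put into the second mode is exactly the open question raised above; Python's `ssl` module can, but the `make_context`, `probe` and `Transport` names, the port-853 default and the two-second timeout are assumptions of this example.

```python
import socket
import ssl
from enum import Enum


class Transport(Enum):
    """Transport chosen after a probe (constructed labels for this example)."""
    DOT = "DoT"     # encrypted DNS over TLS, TCP/853
    DO53 = "Do53"   # classic cleartext DNS fallback


def make_context(authenticated: bool) -> ssl.SSLContext:
    """Build a TLS client context for probing an authoritative server.

    authenticated=True  -> verify the chain against the system CA store and
                           require the certificate to match the nameserver's
                           static name (this is what an ACME-issued cert gives).
    authenticated=False -> unauthenticated opportunistic mode: the handshake
                           still runs, but the library is told not to verify,
                           so a self-signed cert is accepted.
    """
    ctx = ssl.create_default_context()          # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not authenticated:
        # Order matters: check_hostname must be cleared before verify_mode
        # can be set to CERT_NONE, otherwise ssl raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe(ip: str, server_name: str, authenticated: bool = True,
          port: int = 853, timeout: float = 2.0):
    """Attempt one TLS handshake and decide which transport to use.

    Returns (Transport, reason). Any failure, including a certificate that
    does not verify in authenticated mode, falls back to Do53 rather than
    refusing to resolve: that is the 'opportunistic' part.
    """
    ctx = make_context(authenticated)
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                return Transport.DOT, f"handshake ok ({tls.version()})"
    except ssl.SSLCertVerificationError as exc:
        # Only reachable in authenticated mode: the cert did not verify.
        return Transport.DO53, f"certificate verification failed: {exc.verify_message}"
    except ssl.SSLError as exc:
        # Handshake ran but failed for a non-certificate reason.
        return Transport.DO53, f"TLS failure: {exc}"
    except OSError as exc:
        # Refused, unreachable or timed out: nothing is listening on 853.
        return Transport.DO53, f"no DoT listener: {exc}"


def closed_local_port() -> int:
    """Return a loopback port that is currently not listening (for offline tests)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Offline demonstration against a port with no listener (constructed input);
    # the expected outcome is a fallback to Do53 with a "no DoT listener" reason.
    transport, why = probe("127.0.0.1", "ns.example", port=closed_local_port())
    print(transport.value, "-", why)
```

The two contexts differ only in `check_hostname` and `verify_mode`; everything else, including the TLS version floor, is shared, which is the property you want when the same resolver code path serves both the authenticated and the unauthenticated case.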